A Scheme to Base a Hash Function on a Block Cipher

  • Shoichi Hirose
  • Hidenori Kuwakado
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5381)


This article discusses the provable security of an iterated hash function using a block cipher. It assumes the construction using the Matyas-Meyer-Oseas (MMO) scheme for the compression function and the Merkle-Damgård with a permutation (MDP) for the domain extension transform. It is shown that this kind of hash function, MDP-MMO, is indifferentiable from the variable-input-length random oracle in the ideal cipher model. It is also shown that HMAC using MDP-MMO is a pseudorandom function if the underlying block cipher is a pseudorandom permutation under the related-key attack with respect to the permutation used in MDP. Actually, the latter result also assumes that the following function is a pseudorandom bit generator:
$$ (E_{IV}(K\oplus\texttt{opad})\oplus K\oplus\texttt{opad})\| (E_{IV}(K\oplus\texttt{ipad})\oplus K\oplus\texttt{ipad})\enspace, $$
where E is the underlying block cipher, IV is the fixed initial value of MDP-MMO, and opad and ipad are the binary strings used in HMAC. This assumption still seems reasonable for actual block ciphers, though it cannot be implied by the pseudorandomness of E as a block cipher. The results of this article imply that the security of a hash function may be reduced to the security of the underlying block cipher to more extent with the MMO compression function than with the Davies-Meyer (DM) compression function, though the DM scheme is implicitly used by the widely used hash functions such as SHA-1 and MD5.


  1. 1.
    Bellare, M.: New proofs for NMAC and HMAC: Security without collision-resistance. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 602–619. Springer, Heidelberg (2006); The full version is Cryptology ePrint Archive: Report 2006/043, http://eprint.iacr.org/ CrossRefGoogle Scholar
  2. 2.
    Bellare, M., Canetti, R., Krawczyk, H.: Keying hash functions for message authentication. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 1–15. Springer, Heidelberg (1996)Google Scholar
  3. 3.
    Bellare, M., Kohno, T.: A theoretical treatment of related-key attacks: RKA-PRPs, RKA-PRFs. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 491–506. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  4. 4.
    Bellare, M., Ristenpart, T.: Multi-property-preserving hash domain extension and the EMD transform. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 299–314. Springer, Heidelberg (2006); The full version is Cryptology ePrint Archive: Report 2006/399, http://eprint.iacr.org/ CrossRefGoogle Scholar
  5. 5.
    Bellare, M., Rogaway, P.: Code-based game-playing proofs and the security of triple encryption. Cryptology ePrint Archive, Report 2004/331 (2006), http://eprint.iacr.org/
  6. 6.
    Black, J., Rogaway, P., Shrimpton, T.: Black-box analysis of the block-cipher-based hash-function constructions from PGV. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 320–335. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  7. 7.
    Chang, D., Lee, S.-J., Nandi, M., Yung, M.: Indifferentiable security analysis of popular hash functions with prefix-free padding. In: Lai, X., Chen, K. (eds.) ASIACRYPT 2006. LNCS, vol. 4284, pp. 283–298. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  8. 8.
    Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: How to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  9. 9.
    Gong, Z., Lai, X., Chen, K.: A synthetic indifferentiability analysis of some block-cipher-based hash functions. Cryptology ePrint Archive, Report 2007/465 (2007), http://eprint.iacr.org/
  10. 10.
    Hirose, S., Park, J.H., Yun, A.: A simple variant of the Merkle-Damgård scheme with a permutation. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 113–129. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Kelsey, J.: A comment on draft FIPS 180-2. Public Comments on the Draft Federal Information Processing Standard (FIPS) Draft FIPS 180-2, Secure Hash Standard, SHS (2001)Google Scholar
  12. 12.
    Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-hashing for message authentication. Network Working Group RFC 2104 (1997)Google Scholar
  13. 13.
    Kuwakado, H., Morii, M.: Compression functions suitable for the multi-property-preserving transform. Cryptology ePrint Archive, Report 2007/302 (2007), http://eprint.iacr.org/
  14. 14.
    Matyas, S.M., Meyer, C.H., Oseas, J.: Generating strong one-way functions with cryptographic algorithm. IBM Technical Disclosure Bulletin 27, 5658–5659 (1985)Google Scholar
  15. 15.
    Maurer, U.M., Renner, R.S., Holenstein, C.: Indifferentiability, impossibility results on reductions, and applications to the random oracle methodology. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 21–39. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  16. 16.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)CrossRefMATHGoogle Scholar
  17. 17.
    Preneel, B., Govaerts, R., Vandewalle, J.: Hash functions based on block ciphers: A synthetic approach. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 368–378. Springer, Heidelberg (1994)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Shoichi Hirose
    • 1
  • Hidenori Kuwakado
    • 2
  1. 1.Graduate School of EngineeringUniversity of FukuiJapan
  2. 2.Graduate School of EngineeringKobe UniversityJapan

Personalised recommendations